Amazon Linux 2 Security Advisory: ALAS2-2026-3266
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
Severity:
Medium
Issue Overview:
Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST in libpng before 1.6.57. Passing a pointer returned by the corresponding getter back into the setter causes the setter to read from a stale pointer after freeing the internal buffer, leading to corrupted chunk data and potential heap information disclosure. (CVE-2026-34757)
Affected Packages:
libpng
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libpng or yum update --advisory ALAS2-2026-3266 to update your system.
New Packages:
aarch64:
libpng-1.5.13-8.amzn2.0.9.aarch64
libpng-devel-1.5.13-8.amzn2.0.9.aarch64
libpng-static-1.5.13-8.amzn2.0.9.aarch64
libpng-debuginfo-1.5.13-8.amzn2.0.9.aarch64
i686:
libpng-1.5.13-8.amzn2.0.9.i686
libpng-devel-1.5.13-8.amzn2.0.9.i686
libpng-static-1.5.13-8.amzn2.0.9.i686
libpng-debuginfo-1.5.13-8.amzn2.0.9.i686
src:
libpng-1.5.13-8.amzn2.0.9.src
x86_64:
libpng-1.5.13-8.amzn2.0.9.x86_64
libpng-devel-1.5.13-8.amzn2.0.9.x86_64
libpng-static-1.5.13-8.amzn2.0.9.x86_64
libpng-debuginfo-1.5.13-8.amzn2.0.9.x86_64